Abstract — We study the problem of characterizing the wormhole
attack, an attack that can be mounted on a wide range of wireless
network protocols without compromising any cryptographic quantity
or network node. Making use of geometric random graphs
induced by the communication range constraint of the nodes, we 
present the necessary and sufficient conditions for detecting and 
defending against wormholes. Using our theory, we also present 
a defense mechanism based on local broadcast keys. We believe 
our work is the first one to present analytical calculation of the 
probabilities of detection. We also present simulation results to 
illustrate our theory. 

Index Terms — wormhole, security, vulnerability, ad hoc networks,
geometric random graph.

I. Introduction 

A wireless ad hoc network may be deployed in hostile environments, where network nodes operate un-tethered. In addition, the wireless medium exposes any message transmission to anyone located within the communication range. In this paper we investigate a specific type of emerging security threat known as the wormhole attack [1], [2]. In a wormhole attack an adversary records information at an origin point, tunnels it (via a faster or direct link) to a destination point more than one-hop away, and retransmits the information in the neighborhood of the destination. Since a wormhole attack can be launched without compromising any node, or the integrity and authenticity of the communication, the success of the attack is independent of the strength of the cryptographic method that protects the communication. Hence, a wormhole attack is implemented with few resources and is difficult to detect.

Several approaches have been presented for defending against the wormhole attack [1]-[3]. The solutions proposed attempt to bound the distance that any message can travel using time-based methods [1], [3], cryptography [2], or exploiting location information [1]. Time-based methods either rely on tight synchronization between the network nodes [1], or on measuring the time of flight of a challenge-response [3] using clocks with nanosecond accuracy. Location-based methods also require loose synchronization between nodes [1]. In [2], network nodes use cluster keys to broadcast to their immediate neighbors. However, the authors of [2] noted their system is vulnerable to wormholes during the key establishment phase, due to lack of any verification mechanism. On the other hand, we present a solution that utilizes a combination of location information and cryptography to prevent the wormhole attack. We list our contributions next.

Our contributions: We present a graph theoretic model for characterizing the wormhole attack and derive the necessary and sufficient conditions for any candidate solution to prevent wormholes. Using our theory, we then propose a Local Broadcast Key (LBK) based method to secure an ad hoc network from wormhole attacks. In doing so, we show that the LBK solution satisfies the necessary graph theoretic condition. We also present a decentralized realization for LBK establishment, and provide an analytical evaluation of the security level achieved by our scheme based on spatial statistics theory.

Unlike in [1], [3], our solution does not require time 
synchronization, or highly accurate clocks, and only a small 
fraction of nodes need to know their location. Our approach 
has low overhead in computation and communication, suitable 
for wireless sensor networks. 

The paper is organized as follows: Section II describes the wormhole problem and its graph theoretic representation. In Section III, we state our network model assumptions. Section IV shows how LBKs defend against wormholes and then presents a mechanism to establish them. In Section V, we describe how to secure the LBK establishment mechanism from wormholes. In Section VI, we present the performance evaluation, and Section VII presents our conclusions.

II. Problem Statement 
A. Description of wormhole 

To launch a wormhole attack, an adversary establishes a direct link, referred to as the wormhole link, between two points in the network. A direct link can be established via a wireline, a long-range wireless transmission, or an optical link. Once the wormhole link is operational, the adversary eavesdrops on messages at one end, referred to as the origin point, tunnels them through the wormhole link and replays them in a timely fashion at the other end, referred to as the destination point.

In the wormhole model, it is assumed that the adversary 
does not compromise the integrity and authenticity of the 
communication, and any cryptographic quantity remains secret. 






Fig. 1. Wormhole attack against a distance vector based routing protocol. 

If an adversary had access to cryptographic keys, it could 
generate and forge any authentic message, and inject it back 
into the network with no assistance from wormholes. 


B. Wormhole threat against network protocols 

Various wormhole attack scenarios disrupting network protocols and applications are available from [1], [4]. We now illustrate how a wormhole attack can disrupt the distance vector based ad hoc routing protocols such as DSDV [5] or ADV [6].

Figure 1 presents an ad hoc network of 13 nodes and a wormhole link between nodes $s_9$ and $s_2$. If the routing table of node $s_9$ is tunneled through the wormhole link, node $s_2$ will hear the broadcast and assume that node $s_9$ is a one-hop neighbor. Node $s_2$ will update and broadcast its routing table entries for one-hop neighbor node $s_9$, and nodes $\{s_8, s_{10}, s_{11}, s_{12}\}$ that are now reachable via two hops. Similarly, other neighbors of $s_2$ will adjust their own routing tables. Note that nodes $\{s_1, s_3, s_4, s_5, s_7\}$ will now route via $s_2$ to reach any of the nodes $\{s_9, s_{10}, s_{11}, s_{12}\}$. Hence, with minimal resources, an attacker can redirect and observe a large amount of traffic as desired. Furthermore, by simply switching the wormhole link on and off, the attacker can trigger a route oscillation within the network, thus leading to a denial-of-service (DoS) attack.

From these examples, we note that a wormhole in essence creates a communication link between an origin and a destination point that could not exist with the use of the regular communication channel. Hence, a wormhole modifies the connectivity matrix of the network and can be described by a graph abstraction of the ad hoc network as described next.


C. A Graph theoretic formulation.

Consider an ad hoc network randomly deployed with any node $i$ having a communication range $r$. Such a network can be modeled as a geometric random graph [7], defined as follows:

Geometric Random Graph: Given a finite set of vertices $V \subset \mathbb{R}^d$ ($d = 2$ for 2-dimensional space), we denote by $G(V, r)$ the undirected graph with vertex set $V$ of randomly deployed nodes, and with undirected edges connecting pairs of vertices $(i, j)$ with $\|i - j\| \le r$, where $\|\cdot\|$ is some norm on $\mathbb{R}^d$ [7]. The entries of the edge, or connectivity matrix, denoted by $e$, are given by:

$$e(i,j) = \begin{cases} 1, & \text{if } \|i - j\| \le r \\ 0, & \text{if } \|i - j\| > r \end{cases} \qquad (1)$$

The existence of wormhole links violates the geometric graph model, by allowing links longer than $r$, thus transforming the initial geometric graph $G(V, r)$ into a logical connectivity graph $\tilde{G}(V, E_{\tilde{G}})$, where arbitrary connections can be established. Hence, a non-trivial wormhole will always increase the entries of the connectivity matrix of $G(V, r)$.

A candidate solution preventing the wormhole attack should reconstruct the original geometric random graph $G(V, r)$, or by imposing a less strict requirement, should transform the logical graph $\tilde{G}(V, E_{\tilde{G}})$ to a logical graph $G'(V, E_{G'})$, in which, for any link between a pair of nodes $i, j$, condition (1) is always satisfied. We formalize these ideas in theorem 1.

Theorem 1: Given a geometric random graph $G(V, r)$ defined as in (1), and an arbitrary logical graph $\tilde{G}(V, E_{\tilde{G}})$, a transformation $S : G \times \tilde{G} \to G'$ of $\tilde{G}(V, E_{\tilde{G}})$ into a logical graph $G'(V, E_{G'})$ is a solution to the wormhole problem iff the set of edges of $G'$ is a subset of the set of edges of $G(V, r)$, i.e. $E_{G'} \subseteq E_G$.

Proof: Assume that $G' = S(G, \tilde{G})$ prevents the wormhole attack. Let $C_X$ denote the connectivity matrix of graph $X$. If $E_{G'} \not\subseteq E_G$, there exists a pair of nodes $(i, j)$ for which $C_G(i,j) = 0$ and $C_{G'}(i,j) = 1$. For such node pairs, $e'(i,j) = 1$ with $\|i - j\| > r$, violating the communication range constraint. Hence, in order for $S(G, \tilde{G})$ to prevent the wormhole attack, it follows that $E_{G'} \subseteq E_G$.

The converse follows immediately. If $E_{G'} \subseteq E_G$, then $C_{G'}(i,j) \le C_G(i,j)$, $\forall i, j \in V$. Hence, there is no edge $e'(i,j) \in E_{G'}$ such that $e'(i,j) = 1$, $\|i - j\| > r$, and hence, the graph $G'$ is void of any wormhole. ■

A trivial graph $G'$ with no links ($E_{G'} = \emptyset$) satisfies the conditions of theorem 1. However, to ensure communication between all network nodes, we seek solutions that construct a connected graph.

We also note that the transformation $G' = S(G, \tilde{G})$ requires the knowledge of the geometric random graph $G(V, r)$, defined by the location of the vertices, and the communication range $r$. When nodes do not have a global view of the network (knowledge of the location of other nodes), to verify theorem 1, we must indirectly construct a connected subgraph of the geometric random graph $G(V, r)$. Before we present our solution on constructing such a subgraph, we describe the needed network model assumptions.
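The routing effect of Section II-B and the edge-subset condition of Theorem 1, as an added example (not code from the paper). The node layout, the range value and the tunnel endpoints are constructed for illustration, and the check uses global node positions, which the paper's own scheme is designed to avoid.

```python
from collections import deque
from itertools import combinations
from math import dist

R_NODE = 1.5  # communication range r (assumed value)
# Constructed layout: nine nodes on a line, one unit apart,
# so only adjacent nodes are within range of each other.
POSITIONS = {f"s{i}": (float(i), 0.0) for i in range(1, 10)}
WORMHOLE = frozenset(("s2", "s9"))  # constructed tunnel endpoints


def geometric_edges(pos, r):
    """E_G of G(V, r): undirected edges (i, j) with ||i - j|| <= r, eq. (1)."""
    return {frozenset(p) for p in combinations(pos, 2)
            if dist(pos[p[0]], pos[p[1]]) <= r}


def hop_counts(edges, source):
    """Breadth-first hop distances from source: the metric a distance
    vector protocol converges to on the given connectivity."""
    adj = {}
    for e in edges:
        a, b = tuple(e)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    hops, queue = {source: 0}, deque([source])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in hops:
                hops[v] = hops[u] + 1
                queue.append(v)
    return hops


def violating_edges(logical_edges, pos, r):
    """Edges of a logical graph that are not in E_G. Theorem 1 requires
    this set to be empty for a wormhole-free graph."""
    return logical_edges - geometric_edges(pos, r)


def attracted_destinations(pos, r, logical_edges, source):
    """Destinations whose hop count from source shrinks on the logical
    graph, i.e. routes that a distance vector protocol moves onto the tunnel."""
    before = hop_counts(geometric_edges(pos, r), source)
    after = hop_counts(logical_edges, source)
    inf = float("inf")
    return {d: (before.get(d, inf), after[d]) for d in sorted(after)
            if after[d] < before.get(d, inf)}


def prune_to_geometric(logical_edges, pos, r):
    """One transformation S that satisfies Theorem 1: drop every link
    longer than r."""
    return logical_edges & geometric_edges(pos, r)


if __name__ == "__main__":
    logical = geometric_edges(POSITIONS, R_NODE) | {WORMHOLE}
    print("violating edges:", violating_edges(logical, POSITIONS, R_NODE))
    print("routes pulled onto the tunnel (before, after hops):",
          attracted_destinations(POSITIONS, R_NODE, logical, "s1"))
```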


III. Network Model Assumptions 

Network setup: We assume that the network nodes are randomly deployed within a specific region. We also assume that a small fraction of network nodes, called guards, is assigned special network operations. Density of the regular network nodes is assumed to be $\rho_s$, and the density of the guards is assumed to be $\rho_g$, with $\rho_s$ $\rho_g$. We assume that all nodes utilize omnidirectional antennas. Communication range of regular nodes is $r$, while that of guards is $R$ with $R > r$.

Resource constraints: We assume that guards have access to location information through GPS [8] or some other localization method, though regular nodes may have no location information. We also assume that nodes rely on efficient symmetric cryptography for encryption/decryption, authentication and hashing. We also assume that nodes can be pre-loaded with keys.

Statistical network model: It can be shown [11] that the random deployment of the nodes and guards in an area $A$ can be modeled after a Spatial Homogeneous Poisson Point Process [11]. The random placement of the set $U$ of guards with a density $\rho_g = \frac{|U|}{A}$ ($|\cdot|$ denotes the cardinality of a set) is equivalent to a sequence of events following a homogeneous Poisson point process of rate $\rho_g$. The random deployment of a set $S$ of nodes with a density $\rho_s = \frac{|S|}{A}$ is equivalent to a random sampling of $A$ with rate $\rho_s$ [11].

Based on Spatial Statistics theory [11], if $GH_s$ denotes the set of guards heard by a node $s$, the probability that a node hears exactly $k$ guards is given by the Poisson distribution:

$$P(|GH_s| = k) = \frac{(\rho_g \pi R^2)^k}{k!} e^{-\rho_g \pi R^2} \qquad (2)$$

Using the model in (2), we will analytically evaluate the 
performance of our algorithms. 


IV. Local Broadcast Keys 

In this section, we first define LBKs and show that LBKs can be used to defend against wormholes. We then present details of a decentralized mechanism for establishing LBKs, followed by a probabilistic analysis of the security of the LBK scheme.

Definition: For a node $i$, we define the neighborhood $N_i$ as: $N_i = \{j : \|i - j\| \le r\}$. Given a cryptographic key $K$, let $U_K$ denote the set of nodes that hold key $K$. We assign a unique key $K_i$, called the LBK of $i$, to all $j \in N_i$ so that $U_{K_i} = N_i$ and $K_i \ne K_j$, $\forall i \ne j$. Hence, by definition, all one-hop neighbors of node $i$ possess the LBK of node $i$. We follow the convention that any message from node $i$ to $j$ is encrypted with $K_i$. Hence, a link between nodes $i, j$ exists iff $i \in N_j$ or $j \in N_i$.

Theorem 2: Given $K_i$, $N_i$, $\forall i \in V$, where $V$ is the set of vertices defined by network nodes, and an arbitrary logical random graph $\tilde{G}(V, E_{\tilde{G}})$, the edge matrix $E_{G'}$, defined by:

$$e_{G'}(i,j) = \begin{cases} 1, & \text{if } i \in U_{K_j} \cup j \in U_{K_i} \\ 0, & \text{else} \end{cases}$$

yields the desired wormhole-free graph $G'(V, E_{G'})$ such that $E_{G'} \subseteq E_G$, where $G(V, r)$ is the geometric random graph defined in (1).

Proof: By the definition of $E_{G'}$, there exists a link $e_{G'}(i,j)$ if and only if the two nodes hold at least one LBK. But, according to the definition of LBK, a node $i \in U_{K_j}$ iff $i \in N_j$, which in turn implies that $i, j$ satisfy (1), which defines the links of the geometric random graph $G(V, r)$. Hence, $e_{G'}(i,j) = 1$ iff $\|i - j\| \le r$. Hence, $E_{G'} = E_G$ and therefore, $G' = G$. According to theorem 1, if a transformation $S(G, \tilde{G})$ results in a graph $G'(V, E_{G'})$ such that $E_{G'} \subseteq E_G$, then $G'$ is a wormhole-free graph. ■

Note that given LBKs for all nodes, wormholes can be 
eliminated without ever having to know the location of any 
node. However, the challenge is to establish LBKs in the 
presence of wormhole links and no central authority. 


A. Decentralized establishment of local broadcast keys 

We present a three-step algorithm for LBK establishment. In the first step, the guards distribute fractional keys $FK_i$ to nodes via broadcasting. In step 2, every node broadcasts the Ids of the fractional keys that it holds. If two nodes share more than a threshold $th$ number of fractional keys, they use all common fractional keys to generate a pairwise key. In step 3, every node uses the pairwise keys to securely unicast a local broadcast key to each neighbor. We first present the cryptographic mechanisms of our LBK scheme.

1) Cryptographic Mechanisms

Encryption: To protect the distribution of the fractional keys, all transmissions from the guards are encrypted with a globally shared symmetric key $K_0$, pre-loaded before deployment. In addition, every node shares a symmetric pairwise key $K_i^{g_j}$ with every guard, also pre-loaded. In order to save storage space at the guard side, the pairwise key $K_i^{g_j}$ is derived from a master key $K_{g_j}$, using a pseudo-random function $h$ [12] and the unique node $Id_i$: $K_i^{g_j} = h_{K_{g_j}}(Id_i)$. Hence, given an $Id_i$, a guard can compute its pairwise key with the node $Id_i$ whenever needed.

Guard Id authentication: To authenticate the source of the fractional keys we use efficient one-way hash chains [9]. Each guard $g_i$ has a unique password $PW_i$, blinded with the use of a collision-resistant hash function such as SHA1 [12]. Due to the collision resistance property, it is computationally infeasible for an attacker to find $PW_j$ such that $H(PW_i) = H(PW_j)$, $PW_i \ne PW_j$. The hash chain is generated as follows:

$$H^0 = PW_i, \quad H^i = H(H^{i-1}), \quad i = 1, \dots, n$$

with $n$ being a large number and $H^0$ never revealed to any node. Due to the one-way property it is also infeasible to compute any values of the hash chain that have not been published by a guard. Each node is pre-loaded with a table containing the Id of each guard and the corresponding hash value $H^n(PW_i)$. To reduce the storage needed at the guard side, guards use an efficient storage/computation method for hash chains of time/storage complexity $O(\log_2(n))$ [10].

2) Steps of the key establishment scheme

[Step 1:] Initially, every guard $g_i$ generates a random fractional key $FK_i$ and broadcasts it. The broadcast message also contains the coordinates $(X_i, Y_i)$ of the guard, the next unpublished value of the hash chain, $H^{n-m}(PW_i)$, and the hash chain index $m$ ($m$ also indicates how many beacons each guard has transmitted). The message format is:

Guard $g_i$ : $\{FK_i \| (X_i, Y_i) \| H^{n-m}(PW_i) \| m\}_{K_0}$, (4)

where $\{A \| B\}_K$ denotes concatenation of $A$, $B$ and encryption with key $K$. Every node verifies that $H(H^{n-m}(PW_i)) = H^{n-m+1}(PW_i)$ for all received messages and stores the $FK_i$, the coordinates $(X_i, Y_i)$, the latest published hash value of the hash chain, $H^{n-m}(PW_i)$, and the hash index $m$.

Fig. 2. (a) Guards $g_1 \sim g_5$ broadcast fractional keys $K_1 \sim$ encrypted with the global broadcast key $K_0$, (b) Nodes announce the Ids of the fractional keys that they hold, (c) neighbor nodes that have in common at least three fractional keys ($th = 3$) establish a pairwise key.


[Step 2:] Once the nodes have collected the fractional keys from all the guards that they hear, they broadcast a message indicating the Ids of the fractional keys that they hold. If two neighbor nodes $s_1, s_2$ have in common fractional keys $FK_1 \dots FK_w$ with $w$ above a threshold $th$, they establish a pairwise key: $K_{s_1,s_2} = H(FK_1 \| FK_2 \| \dots \| FK_w)$, where $H$ is a collision-resistant hash function [9].

[Step 3:] After pairwise keys have been established with one-hop neighbors, every node generates an LBK $K_{s_i}$ and unicasts it to every neighbor encrypted with the pairwise key $K_{s_i,s_j}$. Each node stores its own broadcast key $K_{s_i}$ used for encrypting its own messages, and also stores all broadcast keys of its one-hop neighbors in order to decrypt their broadcast messages.

In figure 2(a) the guards $g_1 \sim g_5$ distribute the fractional keys to nodes $s_1 \sim s_7$, encrypted with the global key $K_0$. In figure 2(b), we show the set of guards that each node hears. In figure 2(c), by setting the threshold value $th = 3$, node $s_1$ establishes a pairwise key with all its immediate neighbors. Node $s_1$ will distribute a local broadcast key $K_{s_1}$ to all its immediate neighbors $s_1 \sim s_5$ using the pairwise keys established in step 2. In figure 3, we summarize our decentralized local broadcast key establishment scheme.

Decentralized local broadcast key establishment scheme

    $U$ = {Set of guards}, $S$ = {Set of nodes}

    $U$ : Broadcast $\{FK_i \| (X_i, Y_i) \| H^{n-m}(PW_i) \| m\}_{K_0}$
    $S$ : Verify $H(H^{n-k}(PW_i)) = H^{n-k+1}(PW_i)$, $\forall g_i \in GH_s$
    $S$ : Broadcast $ID_{s_i} = \{ID_1 \| ID_2 \| \dots \| ID_w\}$, $|GH_s| = w$
    for all $s_i \in S$
        for all $ID_{s_j}$ heard by $s_i$
            if $|ID_{s_i} \cap ID_{s_j}| \ge th$,
                $s_j \in N_{s_i}$
                $K_{s_i,s_j} = H(FK_1 \| FK_2 \| \dots \| FK_w)$
                $N_{s_i} = N_{s_i} \cup \{s_j\}$
            end if
        end for
    end for
    for all $s_i \in S$
        for all $s_j \in N_{s_i}$
            $s_i \to s_j$ : $\{K_{s_i}\}_{K_{s_i,s_j}}$
        end for
    end for

Fig. 3. The decentralized local broadcast key establishment scheme.
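Steps 1 and 2 of the scheme above, as an added example (not the authors' implementation): a node checks each guard beacon against the pre-loaded hash chain value and derives a pairwise key only when enough fractional keys are shared. SHA-256 stands in for the hash the paper names (SHA1, for which collisions are now practical), the encryption under $K_0$ and the Step 3 unicast are left out, and the guard names, passwords, chain length and hearing sets are constructed.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """Hash for the chain and the key derivation (SHA-256 in place of SHA1)."""
    return hashlib.sha256(data).digest()


class Guard:
    def __init__(self, gid: str, pos, password: bytes, n: int = 32):
        self.gid, self.pos, self.n, self.m = gid, pos, n, 0
        # Constructed, deterministic FK so the example is reproducible;
        # a real guard draws FK_i at random.
        self.fk = H(b"constructed-fk|" + gid.encode())
        self.chain = [password]                  # chain[i] = H^i(PW_i)
        for _ in range(n):
            self.chain.append(H(self.chain[-1]))
        self.anchor = self.chain[n]              # H^n(PW_i), pre-loaded in nodes

    def beacon(self) -> dict:
        """Step 1 message: FK_i, (X_i, Y_i), H^{n-m}(PW_i), m."""
        self.m += 1
        return {"gid": self.gid, "fk": self.fk, "pos": self.pos,
                "chain": self.chain[self.n - self.m], "m": self.m}


class Node:
    MAX_SKIP = 32  # bound on hashing work per beacon (assumed policy)

    def __init__(self, nid: str, anchors: dict):
        self.nid = nid
        self.latest = {g: (a, 0) for g, a in anchors.items()}  # last verified (value, m)
        self.fks = {}        # guard id -> FK_i
        self.rejected = []   # (guard id, reason)

    def receive(self, b: dict) -> bool:
        value, m_seen = self.latest.get(b["gid"], (None, None))
        if value is None:
            reason = "unknown guard"
        elif not 0 < b["m"] - m_seen <= self.MAX_SKIP:
            reason = "replayed or out-of-range index"
        else:
            v = b["chain"]
            for _ in range(b["m"] - m_seen):  # also covers beacons that were missed
                v = H(v)
            reason = None if hmac.compare_digest(v, value) else "hash chain mismatch"
        if reason:
            self.rejected.append((b["gid"], reason))
            return False
        self.latest[b["gid"]] = (b["chain"], b["m"])
        self.fks[b["gid"]] = b["fk"]
        return True

    def announced_ids(self) -> set:
        """Step 2: the Ids of the fractional keys this node holds."""
        return set(self.fks)

    def pairwise_key(self, peer_ids: set, th: int):
        """H(FK_1 || ... || FK_w) over the common keys, None below th
        (at least th common keys, as in the Fig. 2 caption)."""
        common = sorted(self.announced_ids() & peer_ids)
        if len(common) < th:
            return None
        return H(b"".join(self.fks[g] for g in common))


def run_demo(th: int = 3) -> dict:
    names = ["g1", "g2", "g3", "g4", "g5"]
    guards = {g: Guard(g, (10.0 * i, 0.0), f"pw-{g}".encode())
              for i, g in enumerate(names)}
    anchors = {g: gd.anchor for g, gd in guards.items()}
    # Constructed hearing sets: s1 and s2 are neighbors, s7 is far away.
    hears = {"s1": names[:4], "s2": names[1:], "s7": ["g5"]}
    nodes = {n: Node(n, anchors) for n in hears}
    beacons = {g: gd.beacon() for g, gd in guards.items()}
    for n, heard in hears.items():
        for g in heard:
            nodes[n].receive(beacons[g])
    replay_ok = nodes["s1"].receive(beacons["g1"])      # identical copy again
    forged = dict(beacons["g5"], m=2, chain=b"\x00" * 32)
    forged_ok = nodes["s7"].receive(forged)             # chain value not from g5
    s1, s2, s7 = nodes["s1"], nodes["s2"], nodes["s7"]
    return {"k12": s1.pairwise_key(s2.announced_ids(), th),
            "k21": s2.pairwise_key(s1.announced_ids(), th),
            "k17": s1.pairwise_key(s7.announced_ids(), th),
            "replay_ok": replay_ok, "forged_ok": forged_ok,
            "s1_rejected": s1.rejected, "s7_rejected": s7.rejected}
```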




Fig. 4. (a) All guards located in the shaded area $A_c$ are heard by both nodes $s_1$, $s_2$, (b) $P_{key}$ for a variable threshold value equal to $th = |GH_{s_1}| - 3$.


B. Setting the key establishment threshold 

Since nodes and guards will be randomly deployed within the network region, the specific number of guards heard by nodes may vary. Hence, each node needs to locally decide the threshold $th$ based on the number of guards that it hears.

Consider figure 4(a), and assume that a node $s_1$ can hear $|GH_{s_1}|$ guards. The probability $P_{key}$ that $s_1, s_2$ hear at least $th$ common guards, given that $|GH_{s_1}|$ guards are heard by $s_1$, is equal to the probability that at least $th$ guards are located within the shaded area $A_c$, given that $|GH_{s_1}|$ of them are located within the communication area $A_{s_1}$ of $s_1$. Due to the random guard deployment, if $|GH_{s_1}|$ guards are located within a specific region, those guards are uniformly distributed [11]. Hence, the probability for one guard to be within $A_c$ is $p_g = \frac{A_c}{\pi R^2}$. The probability that at least $th$ guards are deployed within $A_c$, given that a total of $|GH_{s_1}|$ are deployed within $\pi R^2$, is:

$$P_{key} = P(|GH_{A_c}| \ge th \mid |GH_{s_1}| = k) = \sum_{i=0}^{k-th} \binom{k}{th+i} p_g^{th+i} (1 - p_g)^{k-th-i} = \sum_{i=0}^{k-th} \binom{k}{th+i} \left(\frac{A_c}{\pi R^2}\right)^{th+i} \left(1 - \frac{A_c}{\pi R^2}\right)^{k-th-i} \qquad (5)$$

where $A_c$ can be computed from figure 4(a) by:

$$\phi = \cos^{-1}\frac{l}{2R}, \qquad A_c = 2R^2\phi - R\,l\sin\phi \qquad (6)$$

with $l = \|s_1 - s_2\|$. Using (5), (6), each node can determine its threshold $th$. In figure 4(b), we present $P_{key}$ for different values of guards heard $|GH_{s_1}|$ and distances $\|s_1 - s_2\|$, for $th = |GH_{s_1}| - 3$.

Fig. 5. A wormhole attack against the broadcast of fractional keys.
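Equations (5) and (6) evaluated and cross-checked by simulation, as an added example (not code from the paper). The values of $R$, $l$, $k$ and the 0.9 target are assumed for illustration; `largest_threshold` is a hypothetical helper that picks the highest $th$ still meeting a target $P_{key}$.

```python
import random
from math import acos, comb, hypot, pi, sin


def common_area(l: float, R: float) -> float:
    """A_c of eq. (6): overlap of two discs of radius R whose centers are l apart."""
    if l >= 2 * R:
        return 0.0
    phi = acos(l / (2 * R))
    return 2 * R * R * phi - R * l * sin(phi)


def p_key(k: int, th: int, l: float, R: float) -> float:
    """Eq. (5): probability that at least th of the k guards heard by s1
    are also heard by a node at distance l."""
    p = common_area(l, R) / (pi * R * R)
    return sum(comb(k, j) * p**j * (1 - p) ** (k - j) for j in range(th, k + 1))


def largest_threshold(k: int, l: float, R: float, target: float) -> int:
    """Highest th for which a neighbor at distance l still shares at least
    th guards with probability >= target (0 if no th qualifies)."""
    for th in range(k, 0, -1):
        if p_key(k, th, l, R) >= target:
            return th
    return 0


def simulate_p_key(k, th, l, R, trials=20000, seed=1):
    """Monte Carlo check of eq. (5): drop k guards uniformly in the disc
    around s1 (at the origin) and count those within R of s2 at (l, 0)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        common = 0
        for _ in range(k):
            while True:  # rejection sampling of a uniform point in the disc
                x, y = rng.uniform(-R, R), rng.uniform(-R, R)
                if x * x + y * y <= R * R:
                    break
            if hypot(x - l, y) <= R:
                common += 1
        hits += common >= th
    return hits / trials


if __name__ == "__main__":
    R, l, k = 10.0, 4.0, 10  # assumed values
    for th in range(k, k - 5, -1):
        print(th, round(p_key(k, th, l, R), 4))
    print("largest th with P_key >= 0.9:", largest_threshold(k, l, R, 0.9))
```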


V. Securing the broadcast of fractional keys 

Though once established LBKs prevent wormholes (information encrypted at a neighborhood $N_i$ with an LBK $K_i$ cannot be decrypted outside $N_i$), an adversary can mount a wormhole attack during the distribution of the fractional keys. We now provide a mechanism to secure the fractional key distribution.


A. Wormhole attack against the fractional key distribution 

Consider figure 5, where an adversary establishes a bi-directional wormhole link between nodes $s_1, s_2$, with $s_1, s_2$ being several hops away. In step 1 of the local broadcast key establishment scheme, guards broadcast their fractional keys. The adversary records all messages heard by $s_1, s_2$ and replays the messages heard by $s_1$ in the vicinity of $s_2$, and messages heard by $s_2$ in the vicinity of $s_1$. After the replay, $s_1, s_2$ have a common set of fractional keys $GH_{s_1} \cup GH_{s_2}$.


B. Detection of the wormhole attack 

We now show how a node can detect a wormhole attack 
during the fractional key distribution using two properties: 

Single guard property: Reception of multiple copies of an 
identical message from the same guard is due to replay or 
multipath effects. 

Proof: Since guards include a different hash value from the hash chain on every message they transmit, if a node receives an identical message more than once, it can only be because (a) a malicious entity replays the message or (b) there are multipath effects. If we treat multipath effects as a replay attack, then any node receiving the same transmission multiple times assumes it is under a replay attack. ■

In figure 6(a), $A_s$ denotes the area where guards heard by node $s$ are located (circle of radius $R$ centered at $s$), $A_O$ denotes the area where guards heard at the origin point of the attack are located (circle of radius $R$ centered at $O$) and $A_c$ denotes the common area $A_c = A_s \cap A_O$. An adversary that records guards' transmissions heard at point $O$ and replays them to node $s$ can be detected due to the single guard property with a probability $P(SG)$ equal to the probability that at least one guard lies within $A_c$,

$$P(SG) = P(|GH_{A_c}| \ge 1) = 1 - e^{-\rho_g A_c} \qquad (7)$$

In figure 6(b), we show the detection probability $P(SG)$ for guard densities $\rho_g$, for distances $0 \le \|s - O\| \le 3R$, normalized over $R$. We observe that if $\|s - O\| \ge 2R$, the single guard property cannot detect a wormhole attack. We make use of the following property to identify wormholes when $\|s - O\| \ge 2R$.

Communication range constraint property: A node $s$ cannot hear two guards $g_i, g_j \in GH_s$ that are more than $2R$ apart, i.e. $\|g_i - g_j\| \le 2R$, $\forall i, j$, $i \ne j$.

Proof: Any guard $g_i \in GH_s$ heard by node $s$ has to lie within a circle of radius $R$, centered at the node $s$, $\|g_i - s\| \le R$, $\forall g_i \in GH_s$. Hence, there cannot be two guards within a circle of radius $R$ that are more than $2R$ apart.

$$\|g_i - g_j\| \le \|g_i - s\| + \|s - g_j\| \le R + R = 2R \qquad (8)$$


We now compute the detection probability $P(CR)$ based on the communication range constraint property. Consider figure 6(c) where, if any two guards within $A_s$, $A_O$ have a distance larger than $2R$, the attack is detected. Though $P(CR)$ is not easily computed analytically, we can extract a lower bound on $P(CR)$ as follows. In figure 6(c), the vertical lines defining shaded areas $A_i$, $A_j$ are perpendicular to the line connecting $s$, $O$, and have a separation $2R$. If there is at least one guard in the shaded area $A_i$ and at least one guard in the shaded area $A_j$, then $\|g_i - g_j\| > 2R$ and the attack is detected. Note that this event does not include all possible cases for which $\|g_i - g_j\| > 2R$, and hence it yields a lower bound.

$$\begin{aligned}
P(CR) &= P(\|g_i - g_j\| > 2R,\ g_i, g_j \in GH_s) \\
&\ge P(CR \cap (|GH_{A_i}| > 0 \cap |GH_{A_j}| > 0)) && (9) \\
&= P(CR \mid (|GH_{A_i}| > 0 \cap |GH_{A_j}| > 0))\, P(|GH_{A_i}| > 0 \cap |GH_{A_j}| > 0) && (10) \\
&= P(|GH_{A_i}| > 0 \cap |GH_{A_j}| > 0) && (11) \\
&= (1 - e^{-\rho_g A_i})(1 - e^{-\rho_g A_j}) && (12)
\end{aligned}$$

where (9) follows from the fact that the probability of the intersection of two events is always less than or equal to the probability of one of the events, (10) follows from the definition of the conditional probability, (11) follows from the fact that when $|GH_{A_i}| > 0 \cap |GH_{A_j}| > 0$, we always have a communication range constraint violation ($P(CR \mid (|GH_{A_i}| > 0 \cap |GH_{A_j}| > 0)) = 1$), and (12) follows from $A_i$, $A_j$ being disjoint areas.

We can show that the lower bound on $P(CR)$ is maximized when $A_i = A_j$, but the proof is omitted due to space limitations. In figure 6(d), we show the lower bound on $P(CR)$, by setting $A_i^* = \max\{A_i\}$ such that $A_i = A_j$. Note that for values $\|s - O\| > R$, $P(CR)$ is very close to unity for any value of $\rho_g$. The lower bound on $P(CR)$ increases with the increase of $\|s - O\|$ and attains its maximum value for $\|s - O\| = 4R$ when $A_i = A_j = \pi R^2$. For values $\|s - O\| > 4R$ the lower bound on $P(CR)$ is equal to the case of $\|s - O\| = 4R$.



Fig. 6. Single guard property, (a) a node s cannot hear multiple copies of an identical message, (b) Detection probability P(SG). Communication range 
constraint violation, (c) a sensor cannot hear two guards that are more than 2 R apart, (d) Detection probability P(CR). 


Detection probability of a wormhole attack: By combining the two previously presented detection mechanisms we can derive a lower bound on the probability of wormhole detection $P_{det}$ during the broadcast of the fractional keys. By setting $A_i = A_j$ and maximizing $A_i$ regardless of the distance $\|s - O\|$, the areas $A_i$, $A_j$, $A_c$ do not overlap as shown in figure 8(a). Hence, the events of a guard being located at any of these areas are independent and we can derive a lower bound on $P_{det}$.

$$\begin{aligned}
P_{det} &= P(SG \cup CR) = P(SG) + P(CR)(1 - P(SG)) \\
&\ge (1 - e^{-\rho_g A_c}) + (1 - e^{-\rho_g A_i^*})^2 e^{-\rho_g A_c} \qquad (13)
\end{aligned}$$

The quantity in (13) is a lower bound on $P_{det}$ since we used the lower bound on $P(CR)$. In figure 8(b), we show the lower bound on $P_{det}$ for $\|s - O\| \in [0, 4R]$. Note that the lowest detection probability is $P_{det} \ge 99.48\%$, attained at $\rho_g = 0.01$. From figure 8(b), we observe that a wormhole attack during the distribution of the fractional keys is detected with a probability very close to unity, independent of the distance $\|s - O\|$.

Fig. 8. (a) Combination of the single guard and communication range constraint properties, (b) Wormhole detection probability $P_{det}$.
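The two detection properties above applied to the beacons a node has collected, followed by the guard-filtering step of the Closest Guard Algorithm of Section V-C, as an added example (not code from the paper). It assumes every beacon has already passed the hash chain check, so guard Ids and coordinates are authentic; the guard range, the coordinates and the beacon field names are constructed.

```python
from collections import Counter
from itertools import combinations
from math import dist

R_GUARD = 10.0  # guard communication range R (assumed value)

# Constructed beacons. The node s sits at (0, 0); g1..g3 are within R of it.
LOCAL = [
    {"gid": "g1", "pos": (3.0, 4.0), "m": 1},
    {"gid": "g2", "pos": (-6.0, 2.0), "m": 1},
    {"gid": "g3", "pos": (5.0, -7.0), "m": 1},
]
# Beacons recorded around a far origin point O = (45, 0) and replayed near s.
TUNNELED_FAR = [
    {"gid": "g7", "pos": (42.0, 3.0), "m": 1},
    {"gid": "g8", "pos": (50.0, -4.0), "m": 1},
    {"gid": "g9", "pos": (38.0, -5.0), "m": 1},
]
# Origin point close to s: g3 is heard directly and again through the tunnel.
TUNNELED_NEAR = [{"gid": "g3", "pos": (5.0, -7.0), "m": 1}]


def replayed_beacons(beacons):
    """Single guard property: the same (guard, hash index m) received more
    than once is treated as a replay."""
    counts = Counter((b["gid"], b["m"]) for b in beacons)
    return sorted(key for key, c in counts.items() if c > 1)


def range_violations(beacons, R):
    """Communication range constraint: pairs of heard guards that are more
    than 2R apart cannot both be within range of one node."""
    pos = {b["gid"]: b["pos"] for b in beacons}
    return sorted((a, b) for a, b in combinations(sorted(pos), 2)
                  if dist(pos[a], pos[b]) > 2 * R)


def wormhole_suspected(beacons, R):
    """True if either detection property fires."""
    return bool(replayed_beacons(beacons) or range_violations(beacons, R))


def closest_guard_filter(beacons, closest_gid, R):
    """CGA filtering: keep the guards that are at most 2R away from the
    guard whose authentic nonce reply arrived first."""
    pos = {b["gid"]: b["pos"] for b in beacons}
    ref = pos[closest_gid]
    return sorted(g for g, p in pos.items() if dist(ref, p) <= 2 * R)


if __name__ == "__main__":
    heard = LOCAL + TUNNELED_FAR
    print("range violations:", range_violations(heard, R_GUARD))
    print("guards kept by CGA:", closest_guard_filter(heard, "g1", R_GUARD))
    print("replays, near origin:", replayed_beacons(LOCAL + TUNNELED_NEAR))
```

Here `g1` is taken to be the guard whose reply arrived first; in the protocol that choice comes from the nonce exchange, not from coordinates.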


C. Key establishment in the presence of wormholes

Although a wormhole can be detected using the two detection mechanisms, a node under attack cannot distinguish the valid subset of guards from the replayed ones. We now describe the Closest Guard Algorithm (CGA) to resolve the guard ambiguity.

CGA - The node $s$ broadcasts a nonce $\eta$ along with its Id and waits for the first authentic reply from a guard $g_i$. All guards that hear nonce $\eta$ reply with a message containing their coordinates, the next hash value of their hash chain and the nonce $\eta$. The message transmitted from each guard is encrypted with the pairwise key $K_s^{g_i}$ only known to
The node identifies the guard $g_i'$ whose reply arrives first as the closest guard to $s$. Then using the communication range constraint property, it identifies the set $GH_s'$ as all the guards that are not more than $2R$ away from $g_i'$, and uses the fractional keys received from $GH_s'$ to establish pairwise keys with its immediate neighbors.

Closest Guard Algorithm (CGA)

    1. $s$ : Broadcast $\{\eta \| Id_s\}$.
    2. if $g_i$ hears $\{\eta \| Id_s\}$,
       Reply $\{(X_i, Y_i) \| \eta \| ID_{g_i} \| H^{n-m}(PW_i) \| m\}_{K_s^{g_i}}$
    3. Identify $g_i' \in GH_s$ that replies first with correct nonce.
    4. Set $GH_s'$ : $\{g_i \in GH_s : \|g_i' - g_i\| \le 2R\}$.

To execute CGA, a node must be able to communicate bi-directionally with at least one guard. The probability $P_{s \leftrightarrow g}$ of a node having a bi-directional link is: $P_{s \leftrightarrow g} = 1 - e^{-\rho_g \pi r^2}$. From $P_{s \leftrightarrow g}$, we can compute the probability $P_{bd}$ that all nodes can bi-directionally communicate with at least one guard: $P_{bd} = (1 - e^{-\rho_g \pi r^2})^{|S|}$. For a desired probability $P_{bd}$, we can compute $\rho_g$, $r$ as:

$$r \ge \sqrt{\frac{-\ln\left(1 - P_{bd}^{1/|S|}\right)}{\pi \rho_g}}, \qquad \rho_g \ge \frac{-\ln\left(1 - P_{bd}^{1/|S|}\right)}{\pi r^2} \qquad (14)$$


VI. Performance Evaluation

Simulation setup: We generated random network topologies confined in a square area of size $A = 10{,}000$. For each network topology we randomly placed (a) 5,000 nodes within $A$, with a communication range $r = 4$, (b) guards with variable density $\rho_g$ and communication range $R$. To ensure statistical validity, we repeated each experiment for 1,000 networks and averaged the results. Note that to avoid border effects we considered toroidal distance instead of regular Euclidean distance [11].

Key establishment with one-hop neighbors: In our first experiment we evaluated the percentage of one-hop (immediate) neighbors $P_{immed}$ that each node is able to establish a local broadcast key with. In figure 7(a), we present $P_{immed}$ vs. $GH_s - th$ for variable guard density $\rho_g$. Note that we preferred to plot $P_{immed}$ vs. $GH_s - th$, instead of $th$, since $th$ varies locally for every node $s$ depending on $GH_s$.

Fig. 7. Percentage of immediate neighbors that share more than $th$ fractional keys for $r_s = 0.5$, $A = 10.000$ for, (a) varying guard density $\rho_g$, (b) varying guard communication range $R$. Percentage of non-immediate neighbors that share more than $th$ fractional keys for $r_s = 0.5$, $A = 10.000$ for, (c) varying guard density $\rho_g$, (d) varying guard communication range $R$.

We observe in figure 7(a) that an increase in $\rho_g$ requires a higher difference $GH_s - th$ to achieve the same $P_{immed}$. This is due to the fact that while increasing density increases the number of guards heard by more nodes, the joint probability of many guards being heard by multiple nodes does not increase as much as $GH_s$. Hence, a threshold value close to $GH_s$ will isolate a node $s$ from many of its one-hop neighbors. Hence, we need to select a $th$ significantly lower than $GH_s$. Figure 7(b) presents $P_{immed}$ for different guard communication range $R$. Note that an increase in $R$ requires a $th$ significantly lower than $GH_s$, to avoid one-hop neighbor isolation.

Isolation of non-immediate neighbors: In our second experiment we evaluated the percentage of non-immediate neighbors $P_{non-im}$ that share more than $th$ fractional keys as $th$ varied. For each node, we took into account in the percentage calculation only those neighbors that heard at least one common guard with the node under consideration.

In figure 7(c), we show $P_{non-im}$ vs. $GH_s - th$ in a logarithmic scale for varying $\rho_g$, and show how we can achieve higher isolation of non-immediate neighbors with the increase of $\rho_g$. This is due to the fact that as $\rho_g$ increases, more guards are heard by each node and hence, we can adjust the threshold with better accuracy compared to the case where $GH_s$ has a low value. In figure 7(d), we present both $P_{immed}$ and $P_{non-im}$ for different guard-to-node communication range $R$, and show how we achieve higher isolation of non-immediate neighbors with the increase of $R$.

Choosing the threshold value: From figures 7(a)-(d) we can determine the appropriate value of threshold $th$ based on our security constraint and system parameters. For example, if our security constraint requires a non-immediate neighbor isolation above 99%, we can achieve a $P_{immed} = 0.64$ for $\rho_g = 0.01$ when $th = GH_s - 2$. By increasing the guard density to $\rho_g = 0.04$ for the same constraints, we can achieve a $P_{immed} = 0.90$. Hence, under any security constraints, we can select the system parameters, $\rho_g$, $R$, so that we maximize $P_{immed}$, while keeping $P_{non-im}$ under the given constraint.


VII. Conclusion 

We presented a graph theoretic approach characterizing 
recently reported [1] wormhole attacks on wireless ad hoc 
networks. We derived the necessary and sufficient conditions for 
any transformation to remove wormholes, and showed that any 
candidate solution preventing a wormhole attack must produce 
a connected subgraph of the geometric graph model of the net- 
work. We also proposed a cryptography-based solution relying 
on local broadcast keys and provided a distributed mechanism 
for establishing them in randomly deployed networks. We 
analytically determined the level of security achieved by our 
scheme based on spatial statistics theory. We showed that the 
appropriate choice of network parameters eliminates wormhole 
links with a probability close to unity and verified the validity of 
our results via simulations. It is our claim that in the absence 
of location or distance bounding, we must use probabilistic 
techniques for dealing with wormholes. 